As defined herein, fraud encompasses intentional deception made for personal gain or to damage another entity (e.g., a company and/or an individual). Defrauding entities of money or valuables is a common purpose of fraud. An example of fraud in the mobile telecommunications field is subscribers (users) who undertake deception in an attempt to be charged less for services than they should be charged according to their tariffs, which have been agreed with their operator.
A specific type of fraud in the mobile telecommunications field occurs in a Policy and Charging Control (PCC) architecture. The PCC architecture permits integration of both policy and charging control. An exemplary architecture that supports PCC functionality is shown in FIG. 1, which has been taken from Third Generation Partnership Protocol (3GPP) TS 23.203. 3GPP TS 23.203 specifies the PCC functionality for an Evolved 3GPP Packet Switched domain, including both 3GPP accesses and Non-3GPP accesses. 3GPP accesses include, for example, Global System for Mobile Communications (GSM) Enhanced Data rates for GSM Evolution (EDGE) Radio Access Network (GERAN), Universal Terrestrial Radio Access Network (UTRAN) and Evolved UTRAN (E-UTRAN).
Referring to FIG. 1, a subscription profile repository (SPR) 100 is in electrical communication with a policy and charging rules function (PCRF) 102 via an Sp interface. The PCRF 102 is also in electrical communication with: a bearer binding and event reporting function (BBERF) 104 via an S7x interface; a traffic detection function (TDF) 106 via an Sd interface; a policy and charging enforcement function (PCEF) 108 via a Gx interface; and an application function (AF) 110 via an Rx interface. The PCEF 108 may form part of a gateway 112. The gateway 112 is in electrical communication with a service data flow based credit control function 114 via a Gv interface. The service data flow based credit control function 114 forms part of an online charging system (OCS) 116. The gateway 112 is in electrical communication with an offline charging system (OFCS) 118 via a Gz interface.
To aid description of the methods and apparatus disclosed herein, certain features of FIG. 1 are discussed below.
The PCRF 102 is a functional element that performs policy control decision and flow based charging control. The PCRF 102 provides network control regarding service data flow detection, gating, quality of service and flow based charging (except credit management) towards the PCEF 108.
The PCEF 108 provides service data flow detection, policy enforcement and flow based charging functionalities. Deep packet inspection (DPI) functionality embedded in the PCEF 108 supports packet inspection and service classification, which may be undertaken on Internet protocol (IP) packets classified according to a configured tree of rules so that they are assigned to a particular service session.
The TDF 106 may be a stand-alone function or may be collocated with the PCEF 108. The DPI functionality may complementarily or alternatively be embedded in the TDF. The reader is directed to 3GPP TR 23.813 for further details.
The Sd reference point (or interface) is defined in 3GPP TS 29.212 and lies between the PCRF 102 and a standalone TDF 106.
The Gx reference point is defined in 3GPP TS 29.212 and lies between the PCRF 102 and the PCEF 108.
The Gy reference point is defined in 3GPP TS 32.299 and lies between the PCEF 108 and the OCS 116.
The SPR logical entity contains all subscriber/subscription related information needed by the PCRF 102 for subscription-based policies and IP connectivity access network (CAN) bearer level PCC rules.
Online charging solutions based on a PCC architecture such as that shown in FIG. 1 charge for end-user traffic based on predefined tariffs. Those tariffs are established according to user subscription data and a mobile operator's strategy. Additionally, the mobile operator may apply a service classification to charge each of a plurality of services in a different way.
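The following sketch is an added illustration, not code from the document or from any 3GPP specification. It shows classification of packets against a configured tree of rules followed by per-service rating, which is the step that makes the charge depend entirely on the leaf a packet reaches. The rule tree, service names, addresses and prices are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed rule tree: inner nodes test one packet field, leaves name a service.
RULE_TREE = {
    "field": "proto",
    "branches": {
        "tcp": {"field": "dst_port",
                "branches": {
                    443: {"field": "dst_ip",
                          "branches": {"203.0.113.0/24": "operator_portal"},
                          "default": "web"},
                    80: "web"},
                "default": "other"},
        "udp": {"field": "dst_port", "branches": {53: "dns"}, "default": "other"},
    },
    "default": "other",
}

# Constructed tariff in cents per megabyte; two services are zero-rated.
TARIFF_CENTS_PER_MB = {"operator_portal": 0, "dns": 0, "web": 2, "other": 5}

def classify(packet, node=RULE_TREE):
    """Walk the rule tree until a leaf (service name) is reached."""
    while isinstance(node, dict):
        value, nxt = packet[node["field"]], node["default"]
        for key, child in node["branches"].items():
            if node["field"] == "dst_ip":   # branch keys are CIDR networks
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(key)
            else:                           # exact match on protocol or port
                hit = value == key
            if hit:
                nxt = child
                break
        node = nxt
    return node

def rate(packets):
    """Accumulate bytes per classified service and price each service."""
    usage = defaultdict(int)
    for p in packets:
        usage[classify(p)] += p["bytes"]
    charges = {s: b // 1_000_000 * TARIFF_CENTS_PER_MB[s] for s, b in usage.items()}
    return dict(usage), charges

# Constructed sample traffic for one subscriber session.
SAMPLE = [
    {"proto": "tcp", "dst_port": 443, "dst_ip": "203.0.113.10", "bytes": 3_000_000},
    {"proto": "tcp", "dst_port": 443, "dst_ip": "198.51.100.7", "bytes": 4_000_000},
    {"proto": "tcp", "dst_port": 80, "dst_ip": "198.51.100.7", "bytes": 1_000_000},
    {"proto": "udp", "dst_port": 53, "dst_ip": "192.0.2.53", "bytes": 1_000_000},
    {"proto": "udp", "dst_port": 4500, "dst_ip": "198.51.100.9", "bytes": 2_000_000},
]

if __name__ == "__main__":
    print(rate(SAMPLE))
```

Every byte that lands on a zero-priced leaf is billed at nothing, so the accuracy of the classification step bounds the accuracy of the charge.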
There are a number of software programs that try to commit fraudulent activity by confusing a mobile operator's detection algorithms, which are designed to detect fraudulent user behaviour. The software programs aim to have traffic mistakenly classified as a free service or a cheaper service than it should have been according to a user's tariff. Exemplary software programs may obfuscate original traffic by disguising it as a new type of traffic. In this way software programs may seek to gain more credit than a user is entitled to. So, fraudulent traffic may try to cause an incorrect classification of that traffic into a category other than the real one to which the traffic belongs. This fraudulent traffic is intended to be categorized as a cheaper service, typically a free service.
For detection of fraudulent traffic generated by end users on the Internet, a large amount of online data analysis is required in the PCEF 108. This type of analysis consumes CPU and memory resources in the PCEF 108.